FOR OFFICIAL USE ONLY

FOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE

SECURITY WEAKNESSES IN DOT’S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE

Department of Transportation

Report No. FI-2013-123
Date Issued: September 10, 2013

This document contains information exempt from mandatory disclosure under FOIA. Exemptions 3 and 7(e) apply.

FOR OFFICIAL USE ONLY. Public Availability To Be Determined under 5 U.S.C. 552, Freedom of Information Act.


U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Security Weaknesses in DOT’s Common Operating Environment Expose Its Systems and Data to Compromise
         Report No. FI-2013-123
Date: September 10, 2013

From: Louis C. King
      Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20

To: Chief Information Officer

In 2003, the Department of Transportation (DOT) implemented a common operating environment (COE) network to centralize its information technology (IT) services. 
The Office of the Chief Information Officer (OCIO) manages the COE, which provides email management, computer infrastructure, internet access, and other IT services to over 10,000 users in all of DOT’s operating administrations (OA) except the Federal Aviation Administration. Due to the COE’s centralized nature, any security vulnerabilities within the COE put its users at risk for compromise, and could impair DOT’s ability to accomplish its mission.

We initiated this audit to review DOT’s security controls for protecting the COE and the information it contains. Our objectives were to determine: (1) whether the COE is as safe from compromise as possible; and (2) what, if any, security vulnerabilities the COE contains.

To conduct our work, we reviewed the COE’s network documentation and security policies to establish a baseline view of the environment. We performed external and internal assessments that covered the COE’s entire network. These assessments included penetration tests,[1] vulnerability scans, and manual tests of networked systems, websites, and infrastructure to identify any weaknesses in DOT’s security controls. We also interviewed COE personnel. As part of this audit we selected a statistical sample of 134 of 5,735 computers that allowed us to project the number of computers that had critical vulnerabilities.[2] Exhibit A provides more details on our scope and methodology. We conducted our audit work from February 2012 to July 2013 in accordance with generally accepted Government auditing standards.

[1] Penetration testing validates or invalidates security controls’ proper operation by emulating methods hackers use to compromise systems.

RESULTS IN BRIEF

(FOUO) The COE is not secure from compromise. During our penetration testing—tests that are similar or identical to attacks by hackers—we gained full access to the COE network. The National Institute of Standards and Technology (NIST) provides comprehensive guidance to agencies on how to protect their networks from intrusions. NIST also provides guidance on handling security incidents, including intrusions such as the unlimited access we gained to the network. But the COE’s incident handling process did not detect our intrusion. As a result, we continued to have full access for over a week before the COE’s management discovered and terminated our presence on the network. [redacted] These deficiencies, which are the result of ineffective security controls, put the COE at risk of unauthorized access and its systems and information at risk of compromise.

(FOUO) The COE contains vulnerabilities that could allow the compromise of sensitive data. Thirty of 205 servers with internet accessible websites contained critical vulnerabilities. [redacted] Furthermore, OCIO does not maintain an accurate inventory of computer devices on the COE, preventing the identification of unauthorized systems. 
The COE also has weak user identity authentication controls because OCIO has not fully implemented multifactor identity authentication,[3] and [redacted]. Finally, OCIO does not perform required security testing on the COE to identify and remediate common vulnerabilities typically used by network attackers, and does not effectively document vulnerabilities for resource allocation and remediation.

[2] A critical vulnerability requires immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems.
[3] Multifactor authentication requires users to provide at least two methods of identity authentication, such as a password and a personal identity verification card, security token, or biometric, such as a fingerprint, to access the information system.
[4] A password, such as the word “password,” is weak if it is relatively easy to guess.

NIST, the Office of Management and Budget (OMB), and DOT policies identify requirements to secure networks and reduce these vulnerabilities. The lack of these required controls on the COE puts its networks, systems and data at risk for compromise.

We are making six new recommendations to assist OCIO in securing the COE’s sensitive data and critical functions. 
The recommendations in this report are in addition to four open recommendations from our Federal Information Security Management Act (FISMA) audits, which are identified in Exhibit B.

BACKGROUND

DOT’s COE provides ten OAs at the Department’s Headquarters in Washington, DC, with IT services, such as data storage, email and web application access, and database services. The COE also provides a centralized environment for applications that OAs use in support of their operations. To use the COE, OAs enter into agreements with OCIO that define their responsibilities, including regular scanning for vulnerabilities, to maintain their applications and systems in a secure manner. Due to its importance to the DOT’s mission, OCIO assigned the COE an impact rating of high as defined by NIST.[5]

OMB and NIST provide policies and guidelines to Federal agencies in IT security. DOT’s Cybersecurity Compendium establishes policies, processes, procedures, and standards for the Department’s information systems security. It also requires OAs to record detected weaknesses in their information systems and plans of action and milestones (POA&M) to correct them in the Department’s Cyber Security Assessment and Management (CSAM) system. CSAM tracks system weaknesses and their remediation.

[5] NIST’s Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, defines impact as high if the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic effect on organizational operations, assets, or individuals.

THE COE IS NOT SECURE FROM COMPROMISE

Our penetration testing demonstrated that the COE is not secure from compromise. We were able to gain unauthorized access to the network due to the use of insecure user identity authentication methods. COE administrators remained unaware of our access for over a week because an effective method of incident detection for the COE does not exist. Furthermore, OCIO does not ensure that OAs conduct testing of COE users’ security awareness, and some users were unable to recognize the types of social engineering emails that we sent—types of email frequently used to gain unauthorized access to networks.

We Gained Unauthorized Access to the COE

(FOUO) Using common computer hacking procedures, we gained unauthorized access to the COE’s network and sensitive applications. NIST and DOT policies call for agencies to require a high level of password complexity for system access, such as a minimum number of characters that include a mix of upper and lower case letters, numbers, and special characters. Furthermore, DOT policy requires OAs to employ encryption to prevent unauthorized disclosure of information during transmission. [redacted] These practices made it easy for us to discover and decode network [redacted] using tools and methods available on the internet. By using an administrator’s captured user id and password, we gained access to sensitive data such as drug testing results, and legal information. 
We also gained control of an uninterruptible power supply that the Federal Highway Administration uses to provide backup electrical power to its server. In addition, after accessing the COE network, we were able to intercept and redirect network traffic and gain full access to the Department’s other servers and sensitive data.

OCIO’s Ineffective Incident Detection Makes the COE Vulnerable

(FOUO) OCIO cannot always detect and recognize security breaches in the COE. NIST recommends that agencies use automated incident detection methods[6] for high impact systems such as the COE. [redacted] As a result, OCIO did not detect our presence in the COE for over a week. In addition, once we gained access, we created our own administrative account that OCIO personnel did not detect and remained unaware of until we informed them several weeks later. When we notified them of our successful penetration, COE personnel informed us that the COE’s monitoring system did not detect our unauthorized activity. In addition, we performed vulnerability and penetration testing of DOT websites and server security from outside the COE’s network that COE administrators also did not detect.

[6] Software that monitors network security incidents, such as denial of service attacks, unauthorized access and devices that attempt connection to the network.

The absence of network surveillance and monitoring allowed our unauthorized interception and manipulation of data transmitted across the network. 
While OST has a memorandum of agreement with the DOT’s Cyber Security Management Center (CSMC)[7] regarding network monitoring and surveillance services for the COE, it does not require its full enforcement. For example, CSMC has not developed a network diagram or collected device configuration data for all active COE network hardware—information needed to properly configure tools for scanning and incident detection. OAs must provide CSMC an inventory of all networks and devices in use by their organization. OCIO was unable to provide evidence that it had given this information to CSMC.

The COE Is Vulnerable to Unauthorized Access Due to Users’ Nonadherence to Sound Email Security Practices

The COE is also vulnerable to social engineering emails—deceptive emails that are meant to cause people to break security procedures and provide proprietary information such as passwords and account numbers. DOT policy requires OAs to conduct periodic exercises—such as sending emails that contain suspicious links and placing telephone calls asking for sensitive information—to verify that personnel are applying the knowledge learned in required annual security awareness training. In addition, OCIO requires users that access the COE to accept the DOT Rules of Behavior (RoB), which reference the security awareness requirements, prior to accessing the network. OCIO could not provide evidence that it or the OAs conduct periodic exercises to assess the effectiveness of the annual security awareness training and compliance with RoBs related to social engineering e-mails.

To test users’ security awareness, we sent emails that were crafted to look suspicious to 493 selected COE users from across the OAs. 
We found that at least 13[8] users opened the emails, clicked on the links, and were redirected to our test server without their knowledge. Had this been an actual attack, the user would have allowed the attacker access to his or her computer and the COE network. In addition, none of the 493 users reported the suspicious emails to security officials, as DOT’s security training suggests.

[7] Established in 2004, DOT’s CSMC is responsible for providing intrusion detection monitoring services.
[8] Our testing tool, which did not properly log and process all connections, logged thirteen attempts to connect, but our observation of network traffic showed more connections.

OCIO’S MANAGEMENT PRACTICES CREATE WEAKNESSES THAT MAKE THE COE VULNERABLE TO COMPROMISE

Some of OCIO’s management practices for the COE create security weaknesses that make the system and its data vulnerable to complete compromise. These practices include: poor configuration management and insufficient applications and systems’ security testing; lack of an accurate inventory of devices that are connected to the COE; weak user identity authentication methods; a lack of sufficient tracking of system security weaknesses; and a lack of required penetration testing.

OCIO Has Not Securely Configured All COE Systems

OCIO has not properly configured all COE systems to operate securely. NIST recommends security practices for designing, implementing, and operating publicly accessible Web servers, including related network infrastructure issues. 
In addition, DOT policy requires OAs to allow only the authorized access necessary for users to accomplish their assigned tasks, and to configure information systems to provide only essential capabilities.

We tested 205 public Websites and found that 30 of them had vulnerabilities that could be used to access proprietary data, redirect visitors to malicious sites, take control of server operations, and/or allow unauthorized access to video conferencing. For example:

• (FOUO) A file server had settings that would allow users to read and write data without passwords and, consequently, easily manipulate data without authority. [redacted]

• (FOUO) Five servers [redacted] could allow access to all systems running on each server. [redacted]

• [redacted]

These vulnerabilities increase the risk that the data and personal information of DOT employees, DOT contractors, and the public could be compromised by unauthorized access.

OCIO Lacks an Effective Method to Identify Devices on the COE

OCIO has not implemented a tool to manage the complete inventory of devices connected to the COE’s network, including those used for wireless access. DOT’s Cybersecurity policy requires all OAs to collect device inventories through scanning and other continuous monitoring efforts. OCIO provided us with output from several inventory tools, but none presented an accurate accounting of the devices present on the network during our tests. 
For example, OCIO provided documentation generated by Microsoft SharePoint, which is used to store and track electronic documents or images, and BMC Remedy, commercial software for managing information system assets. However, this documentation did not include a complete list of all devices on the COE.

Furthermore, OCIO cannot identify unauthorized or insecure wireless access points that allow wireless devices, such as cell phones, to connect to a network. It could not account for 443 wireless access points at DOT Headquarters, 190 of which were not secure. For example, 186 access points were not encrypted and 4 used weak encryption. Because it lacks an accurate inventory, OCIO does not know when unauthorized devices are present on the COE’s network. As a result, during our review, we were unable to determine which devices were authorized and which were not.

OCIO Has Not Established Multifactor Identity Authentication for COE Users

(FOUO) OCIO has not implemented multifactor identity authentication for all COE users, [redacted]. We first reported this finding in our 2009 FISMA audit.[10] NIST guidance and DOT policy require both employees and contractors to use personal identity verification (PIV) cards for identity authentication. DOT policy also requires system owners and administrators to use multifactor authentication to access the accounts that they use to modify systems. OCIO’s plans for multifactor authentication include use of PIV cards, but OCIO has not completed implementation of these cards for all Department employees and contractors. [redacted] Because it has not fully implemented multifactor authentication, OCIO cannot be sure that only authorized users can access the COE.

[10] Audit of DOT’s Information Security Program and Practices, OIG Report FI-2010-023, November 18, 2009.

OCIO Does Not Perform Required Security Testing on the COE

OCIO does not ensure that all computer servers connected to the COE are scanned for vulnerabilities or that identified weaknesses are remediated.[11] We selected a random sample of 134 out of 5,735 computers, and were able to scan 99, or 73.9 percent, successfully. We therefore estimate that the number of computers in the universe that could have been scanned successfully at the time of our testing was 4,237.[12] We found 34 (34.3%) out of our 99 computers had 86 critical issues. Based on these findings, we estimate that our universe of 4,237 computers had 3,681 critical issues.[13]

(FOUO) Furthermore, OCIO has not performed penetration testing on security controls to identify and mitigate security weaknesses that could allow the COE’s compromise. DOT Cybersecurity policy requires OAs to scan their systems on a monthly basis for vulnerabilities, and to determine when new vulnerabilities were identified and reported. The policy also requires OAs to perform annual penetration testing on high impact systems such as the COE. However, OCIO could not provide us with reports of monthly vulnerability scans for its systems or its OAs’ systems. 
OCIO also could not provide us with evidence that it had performed annual penetration testing on the COE. [redacted]

[11] In some cases, OAs have agreed to perform scanning and remediation, but OCIO cannot ensure that this is happening.
[12] Our best estimate of 4,237 computers has a precision of +/-355 at the 90 percent confidence level.
[13] Our best estimate of 3,681 critical issues has a precision of +/-1,100 at the 90 percent confidence level.

OCIO Does Not Properly Track the COE’s Known Weaknesses for Remediation

(FOUO) OCIO and the OAs do not create, review, and enter POA&Ms into the Department’s CSAM system. DOT’s Cybersecurity policy requires OAs to enter and maintain all identified security weaknesses and their POA&Ms in CSAM. We could not locate in CSAM the POA&Ms prepared as a result of OCIO’s 2012 security certification and authorization assessment.[14] [redacted] COE staff told us that they kept identified security weaknesses in a Microsoft Access database independent of CSAM. However, this database did not include all required information for effective vulnerability and remediation tracking. Furthermore, the use of any repository other than CSAM hinders the Department’s ability to identify, assess, prioritize, and monitor corrective actions for remediating security weaknesses. 
During our audit, COE staff informed us that they had initiated corrective actions to load security weaknesses into CSAM but did not provide a scheduled date for completion.

[14] OMB Circular A-130, Appendix III states that Federal agencies must certify and accredit their systems for security compliance. Certification and accreditation require each agency to assess its systems for security risks, test security controls, and create POA&Ms to resolve identified weaknesses.

CONCLUSION

Cyber threats such as hackers and social engineering present substantial risks to the security of Federal information systems. OCIO and most OAs depend on the COE for vital information technology services, and to protect their sensitive information. However, because of OCIO’s weak security management practices, a number of vulnerabilities exist in the COE that could compromise its operations. This lack of important security controls prevents OCIO from fully safeguarding the confidentiality of the sensitive data that resides on the COE, as well as ensuring the availability of COE services, and maintaining the integrity of its information. Until steps are taken to enhance the COE’s security controls, outside attackers using the basic methods we used in our tests could seriously compromise the DOT’s operations.

RECOMMENDATIONS

We recommend that the Chief Information Officer:

1. [redacted] Enforce password complexity requirements [redacted] in accordance with Departmental Cybersecurity Compendium Order 1351.37.

2. Monitor OAs’ periodic exercises that test COE users’ knowledge of security requirements when accessing emails on the Government network.

3. Use automated tools, such as vulnerability scanners or Web application scanners, to monitor applications residing in the COE on a constant basis, and require each OA to mitigate vulnerabilities in its system or remove the systems from the network.

4. Develop and maintain a complete inventory (current registry) of authorized network devices (including wireless) accessible to staff who monitor departmental networks.

5. Ensure the system owners perform regular vulnerability assessments and scans of all internal systems to identify known vulnerabilities and common misconfigurations, and establish a practice to ensure that OAs and OCIO are collaborating and agreeing on remediation plans.

6. Perform annual penetration testing of the COE as required by DOT policy.

AGENCY COMMENTS AND OIG RESPONSE

We provided the Department’s OCIO with a draft of this report on July 16, 2013, and received its written response on August 16, 2013, which is included in its entirety as an Appendix to this report. In its response, OCIO concurred with all 6 recommendations. The OCIO reported that the recommendations will receive the highest priority and commits to work with the operating administrations to achieve the results within the planned timeframes.

ACTIONS REQUIRED

We consider OCIO’s planned actions and target dates responsive to all our recommendations and consider them resolved but open pending completion of the planned actions. We appreciate the courtesies and cooperation of the Department of Transportation’s representatives during this audit. 
If you have any questions concerning this report, please call me at (202) 366-1407.

#

cc: Deputy Secretary
    Assistant Secretary for Budget and Programs/Chief Financial Officer
    CIO Council Members
    DOT Audit Liaison, M-1


EXHIBIT A. SCOPE AND METHODOLOGY

We performed our network security assessment between February 2012 and July 2013 at DOT Headquarters in Washington, D.C., and in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

To address our audit objectives, we used the guidance provided in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment (September 2008),[15] to perform a penetration test and vulnerability assessment of the COE using widely available tools and techniques. We interviewed DOT’s CIO, information technology contractors, and senior leadership to determine what information and resources were critical to COE’s operation and how protections were implemented. 
We reviewed and analyzed documents, policies, and procedures related to COE’s network infrastructure and Websites.

To address vulnerabilities that could be exploited via the internet, we performed a penetration test on 205 servers residing in the COE that provided Web services to DOT personnel and the public. We also employed social engineering techniques on a random sample of COE users to assess their compliance with security awareness training.

Finally, we used a statistical sample of 134 out of 5,735 computers provided by COE’s management to test for vulnerabilities. We were able to scan 99, or 73.9 percent, successfully, resulting in an estimated universe of 4,237.[16] For those computers available at the time of testing, we found 34 (34.3%) out of our 99 computers had 86 critical issues. This statistical sample allowed us to project that our universe of 4,237 computers had 3,681 critical issues, within a 90 percent confidence level and a margin of error of 6.2 percentage points for the available computers. We used a NIST validated vulnerability assessment tool to determine whether the system had security weaknesses that could be exploited.

[15] http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
[16] Our best estimate of 4,237 computers has a precision of +/-355 at the 90 percent confidence level.


EXHIBIT B. Related FISMA Recommendations

FISMA 2011: Persistent Weakness In DOT’s Controls Challenge The Protection and Security of Its Information Systems, FI-2012-007, November 14, 2011.

Rec #  Status  Recommendation
2      Open    In conjunction with OA CIOs, establish incident monitoring and detection capabilities to include all of the Department's systems and facilitate central and real-time reporting.
5      Open    In conjunction with OA CIOs, verify that minimum security controls are adequately tested for deficient systems.

FISMA 2010: Timely Actions Needed To Improve DOT’s Cybersecurity, FI-2011-022, November 15, 2010.

Rec #  Status  Recommendation
23     Open    Implement the use of PIV cards as the primary authentication mechanism to support multi-factor authentication at the system and application level for all DOT's employees and contractors.

FISMA 2009: Audit of DOT’s Information Security Program and Practices, FI-2010-023, November 18, 2009.

Rec #  Status  Recommendation
16     Open    Ensure accurate information is used to monitor Operating Administrations’ progress in correcting security weaknesses.


EXHIBIT C. MAJOR CONTRIBUTORS TO THIS REPORT

Name                Title
Nathan Custer       Program Director
Michael Marshlick   Project Manager
Felicia Moore       Information Technology Specialist
Jenelle Morris      Information Technology Specialist
Tracy Colligan      Information Technology Specialist
Nileshkumar Patel   Information Technology Specialist
Susan Neill         Writer-Editor
Megha Joshipura     Statistician


APPENDIX. AGENCY COMMENTS

U.S. Department of Transportation

Memorandum

Subject: ACTION: Response to the Office of Inspector General Draft Report on Common Operating Environment Security
Date: [blank]

To: Louis C. King
    Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: [blank]

From: Richard McKinney
      Chief Information Officer

DOT Focusing on Comprehensive Security Enhancements

The Office of the Chief Information Officer is making substantive changes to the Common Operating Environment (COE) to make the environment more secure for the systems it controls and operates, and for the systems it supports for the Operating Administrations (OAs) here at the Department. As the new CIO at DOT, I have committed to making cyber security the top priority. Improving our cyber security posture will require gaining the commitment of management and staff throughout the Department to make our cyber environment as safe and secure as possible. Getting the basics right is key to successfully achieving this goal, so we are using a comprehensive team approach to planning and implementing the foundational elements along with developing longer term plans.

This renewed emphasis on having a secure environment acknowledges the significance of the OIG’s findings, which we have already begun to address. While no open information technology (IT) environment can be completely safe from compromise, DOT has made great strides in making the COE environment safer with the addition of tighter controls, greater emphasis on continuous monitoring, and investing resources in better hardware and software. All our recent advancements balance the increasing risk threshold to DOT against the scarce resources at our disposal, but we will continue to balance the two competing forces to achieve our long term goals.
Public Availability To Be\n            Determined under 5 U.S.C. 552, Freedom of Information Act.\n\n           FOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\x0cFOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\n                                                                                15\n\n\n\n\nThe Information Technology Shared Services (ITSS) organization has actions\nunderway that meet or exceed the elements within the OIG recommendations. For\nexample, the organization is working to better enforce Standard Operating\nProcedures (SOPs) for the Federal and contractor staffs supporting the COE,\nenforcing the Service Level Agreements (SLAs) with our OA partners to ensure\nboth parties are fully aware and in compliance with the SLAs, and pulling the\nresources necessary to monitor our environment on a continuous basis to ensure\nthe equipment connected to the COE is known or authorized. Additionally, the\nITSS organization will more formally partner with the OAs and the DOT Chief\nInformation Security Officer's (CISO) organization to look for ways to enhance\nsecurity training throughout the Department and make all DOT employees more\nconscious of security risks and their role in maintaining a secure environment.\nFurthermore, I am committed to significantly increasing the number of staff\nassigned to the critical area of cyber-security in both the COE and the CISO\noffice.\n\nCoordinated ITSS and OA Effort Critical for COE Cyber Security\nImprovement\n\nAchieving progress in improving the cybersecurity posture of the COE will\nrequire leadership by the ITSS organization along with coordinated and consistent\ncooperation from across the operating administrations. 
The COE is the\ngovernment-owned, contractor-developed, and supported Government Services\nSolutions (GSS) that provides the OAs with common IT services such as\nidentification and authentication domain requirements, file and print functions,\nmessaging and directory capabilities such as electronic mail and web application\naccess and database services. The COE's architecture provides a hosting\nenvironment for numerous major applications employed by the various OAs in\nsupport of their individual operational requirements. In addition, several\napplications necessary to support operations by all of the OAs have been\nintegrated into the COE environment. The DOT Common Operating Environment\nconsists of 4 major systems, Campus Area Network (CAN), Computing Services,\nMessaging Services, and Helpdesk Services. Comprehensive, cooperative and\nsustained efforts among all participants in the COE will be critical to the success\nof our endeavors;\n\n\n\n\nAppendix. Agency Comments\n\nFOR OFFICIAL USE ONLY. Public Availability To Be\nDetermined under 5 U.S.C. 552, Freedom of Information Act.\n\nFOR OFFICAL USE INFORMAION WAS REDACTED FOR PUBLIC RELEASE\n\x0c FOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n                                                                                  16\n\n\nRecommendation Prioritization\n\nAs a practical reality in light of the ongoing constraints on resources, and in order\nto align actions with our risk-based approach to cyber security, each of the\nresponses to the OIG recommendations is accompanied by one of the following\nprioritization levels.\n\nRanking A: Recommendation will receive the highest priority and ITSS commits\nto work with the operating administrations to achieve the results within the\ntimeframe specified.\n\nRanking B: ITSS will seek to include resources for action in upcoming budget\ncycles or reprioritize current year end funds, to the extent that they might become\navailable. 
Implementation will commence only when funding is secured.\n\nRanking C: Based on the priority of compliance with direction from OMB, along\nwith other priority use of funding and staffing, these actions would be addressed\nafter priority A and B are completed or if there were an unexpected surfeit of\nfunds.\n\nOne final note: the specific actions to implement the recommendations are\ndescribed at a high level within the context of this document. More detailed action\nplans are being developed and will be shared separately with the OIG to avoid\npotential concerns with sensitive security information in this response.\n\n\n\n\nAppendix. Agency Comments\n\nFOR OFFICIAL USE ONLY. Public Availability To Be\nDetermined under 5 U.S.C. 552, Freedom of Information Act.\nFOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\x0cFOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\n                                                                                17\n\n\n\nRECOMMENDATIONS AND RESPONSE\n\n       Recommendation 1: Enforce password complexity requirements\n                          in accordance with Departmental Cybersecurity\nCompendium Order 1351.37.\n\n          Response:     Concur. ITSS management has reviewed\n                         accounts to validate password complexity configuration\nsettings. ITSS will:\n\n   \xe2\x80\xa2         Enforce password complexity requirements for any\n             which the COE creates in accordance with DOT policy.\n   \xe2\x80\xa2          Update standard operating procedures (SOP) for the COE\n                    to include validation of password configuration setting\n     compliance at least annually or whenever events occur (install, recovery,\n     major change) to affect enforcement of DOT requirements.\n\nThis recommendation is considered priority ranking A. The first task outlined\nabove will be completed no later than October 1, 2013. 
The second task, while\nstill an A ranking, will take additional time and resources, but is planned for\ncompletion no later than March 31, 2014.\n\nRecommendation 2: Monitor OAs periodic exercises that test COE users'\nknowledge of security requirements when accessing emails on the Government\nnetwork.\n\nResponse: Concur. The CIO will collaborate with the OAs on enhanced security\ntraining programs that includes greater emphasis on topics such as spear phishing\nand other social engineering topics. ITSS will leverage these collaborative efforts\nand use these enhanced security training programs to help ensure full participation\nof the ITSS staff. In addition, ITSS will develop a security awareness\ncommunication plan that provides security information in multiple formats such\nas, emails and posters that bring additional attention to cyber security issues.\n\nThis recommendation is considered priority ranking A. The tasks outlined in this\naction are planned for completion no later than September 30, 2014.\n\n\n\nAppendix. Agency Comments\n\nFOR OFFICIAL USE ONLY. Public Availability To Be\nDetermined under 5 U.S.C. 552, Freedom of Information Act.\n\n FOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\x0cFOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\n                                                                               18\n\n\n\nRecommendation 3: Use automated tools, such as vulnerability scanners or Web\napplication scanners to monitor applications residing in the COE on a constant\nbasis, and require each OA to mitigate vulnerabilities in its system or remove the\nsystems from the network.\n\nResponse: Concur. ITSS has adopted the DOT CISO developed and approved\nSecurity Authorization and Continuous Monitoring Guide 23 January 2013. 
To\nconsistently address the recommendations, ITSS will:\n\n   \xe2\x80\xa2 Coordinate regular web scans with the Cyber Security Management Center\n     (CSMC) for identified web servers and applications;\n   \xe2\x80\xa2 Issue a memorandum from the Associate CIO for ITSS to the OA CIOs,\n     directing them to remediate or mitigate vulnerabilities in systems they\n     administer that are connected to the COE.\n\nThis recommendation is considered priority ranking A. The tasks outlined in this\naction are planned for completion no later than March 31, 2014.\n\nRecommendation 4: Develop and maintain a complete inventory (current\nregistry) of authorized network devices (including wireless) accessible to staff\nwho monitor departmental networks.\n\nResponse: Concur. The ITSS will maintain a registry of authorized devices on\nthe COE network that can be provided at any point in time. Furthermore ITSS will\ntake steps to minimize the risk of permitting unauthorized access to the COE by\ndefining authorized devices, developing policy to add/remove devices from the\nCOE network, and establishing procedures to identify and maintain an inventory\nof authorized devices on the COE network. ITSS will also turn down access to\nunused network connections by disabling ports. These actions provide an\neffective set of actions that can be implemented to fulfill the intent of this\nrecommendation.\n\nThis recommendation is considered priority ranking A. The tasks outlined in this\naction are planned for completion no later than March 31, 2014.\n\nAs a supplemental action, ITSS will implement a robust Network Access Control\n(NAC) solution that would further prevent access to the COE network by\nunauthorized devices. This action is considered priority ranking B.\n\nAppendix. Agency Comments\n\nFOR OFFICIAL USE ONLY. Public Availability To Be\nDetermined under 5 U.S.C. 
552, Freedom of Information Act.\n\nFOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\x0cFOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\n                                                                              19\n\n\n\nRecommendation 5: Ensure the system owners perform regular vulnerability\nassessments and scans of internal systems to identify known vulnerabilities and\ncommon\nmisconfigurations, and establish a practice to ensure that OAs and OCIO are\ncollaborating and agreeing on remediation plans.\n\nResponse: Concur. The ITSS organization will partner with the OAs to develop\nremediation plans and identify known vulnerabilities and common\nmisconfigurations. Additionally, ITSS will establish a practice to ensure OAs and\nOCIO are collaborating and agreeing on remediation plans.\n\nSpecifically, ITSS will:\n\n   \xe2\x80\xa2 Coordinate with the DOT CISO and the CSMC to implement credentialed\n     scans for the COE network, where COE provides the majority of support\n     for the network;\n   \xe2\x80\xa2 Implement a process to communicate identified vulnerabilities to\n     appropriate OA personnel;\n   \xe2\x80\xa2 Require OAs to provide status updates and remediation plans as part of the\n     memorandum to be issued in response to Recommendation 3.\n\nThese processes are considered priority ranking A. The tasks outlined in this\naction are planned for completion no later than June 30, 2014.\n\nIn addition, as a supplemental action, ITSS will implement appropriate automated\ncontinuous monitoring capabilities to assess COE managed assets for\nvulnerabilities and configuration compliance. This action is considered priority\nranking B.\n\nRecommendation 6: Perform annual penetration testing as required by DOT\npolicy.\n\nResponse: Concur. 
In compliance with DOT policy and the established Rules of\nEngagement (ROE) for penetration testing, the COE will engage an independent\nassessor to perform the testing.\n\nThis recommendation is considered priority ranking A. The task outlined in this\naction is planned for completion no later than March 31, 2014.\n\nAppendix. Agency Comments\n\nFOR OFFICIAL USE ONLY. Public Availability To Be\nDetermined under 5 U.S.C. 552, Freedom of Information Act.\nFOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\x0c  FOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\n                                                                                20\n\n\n\n\n  The Office of the Chief Information Officer (OCIO) appreciates the opportunity to\n  review and respond to the report. If you have any questions concerning this\n  response, please contact Thomas Jackowski, Acting Associate CIO for IT Shared\n  Services, at (202) 493-0382.\n\n\n\n\n  Appendix. Agency Comments\n\n  FOR OFFICIAL USE ONLY. Public Availability To Be\n  Determined under 5 U.S.C. 552, Freedom of Information Act.\n\nFOR OFFICIAL USE INFORMATION WAS REDACTED FOR PUBLIC RELEASE\n\x0c"